A system and method are disclosed for analyzing a network protocol stream for a security-related event. At least two states associated with the network protocol in which a first host system communicating with a second host system using the network protocol may be placed are identified. At least one valid transition between a first state of the at least two states and a second state of the at least two states is defined. The at least one valid transition is expressed in the form of a regular expression. The regular expression is used to analyze the network protocol stream.
20. A system for analyzing a network protocol stream between a first host system and a second host system for a security-related event, the first host system being susceptible to being placed under the network protocol in one of at least two valid states associated with the network protocol, the system comprising:
means for receiving the network protocol stream; and
means for analyzing the network protocol stream by:
determining that a connection under the network protocol is in a first state of the at least two valid states;
applying to a received packet associated with the connection:
a first regular expression corresponding to a valid transition from the first state of the at least two valid states to a second state of the at least two valid states; and
a plurality of regular expressions, the plurality of regular expressions corresponding to a plurality of invalid transitions from the first state of the at least two valid states to a pre-defined, invalid state, the plurality of invalid transitions being direct transitions from the first state to the invalid state; and
in the event it is determined by applying the plurality of regular expressions to the packet that the packet is associated with a particular one of the plurality of invalid transitions, taking a corresponding responsive action associated specifically with the particular one of the plurality of invalid transitions.
19. A system for analyzing a network protocol stream between a first host system and a second host system for a security-related event, the first host system being susceptible to being placed under the network protocol in one of at least two valid states associated with the network protocol, the system comprising:
a computer configured to:
receive a network protocol stream;
determine that a connection under the network protocol is in a first state of the at least two valid states; and
apply to a received packet associated with the connection:
a first regular expression corresponding to a valid transition from the first state of the at least two valid states to a second state of the at least two states, and
a plurality of regular expressions corresponding to a plurality of invalid transitions from the first state of the at least two valid states to a predefined, invalid state, the plurality of invalid transitions being direct transitions from the first state to the invalid state; and
in the event it is determined by applying the plurality of regular expressions to the packet that the packet is associated with a particular one of the plurality of invalid transitions, take a corresponding responsive action associated specifically with the particular one of the plurality of invalid transitions; and
a memory associated with the computer and configured to store the first regular expression.
21. A computer program product for analyzing a network protocol stream, the computer program product being embodied in a computer readable storage medium and comprising computer instructions for:
identifying at least two valid states in which a first host system communicating with a second host system using a network protocol may be placed;
defining at least one valid transition between a first state of the at least two states and a second state of the at least two valid states;
expressing the at least one valid transition in the form of a first regular expression; defining an invalid state associated with the network protocol; expressing a plurality of invalid transitions from the first state to the invalid state as a plurality of regular expressions, the plurality of invalid transitions being direct transitions from the first state to the invalid state;
determining that a connection under the network protocol is in the first state; and applying to a received packet associated with the connection:
the first regular expression to determine whether the packet is associated with the at least one valid transition, and
the plurality of regular expressions to determine whether the packet is associated with one of a plurality of invalid transitions; and in the event it is determined by applying the plurality of regular expressions to the packet that the packet is associated with a particular one of the plurality of invalid transitions, taking a corresponding responsive action associated specifically with the particular one of the plurality of invalid transitions.
1. A method for analyzing a network protocol stream for a security-related event, comprising:
identifying at least two valid states associated with a network protocol in which a first host system communicating with a second host system using the network protocol may be placed;
defining at least one valid transition between a first state of the at least two valid states and a second state of the at least two valid states;
expressing the at least one valid transition in the form of a first regular expression; defining an invalid state associated with the network protocol; expressing a plurality of invalid transitions from the first state to the invalid state as a plurality of regular expressions, the plurality of invalid transitions being direct transitions from the first state to the invalid state;
determining that a connection under the network protocol is in the first state;
a computer receiving a packet associated with the connection; and applying to the received packet associated with the connection:
the first regular expression to determine whether the packet is associated with the at least one valid transition, and
the plurality of regular expressions to determine whether the packet is associated with one of a plurality of invalid transitions; and in the event it is determined by applying the plurality of regular expressions to the packet that the packet is associated with a particular one of the plurality of invalid transitions, taking a corresponding responsive action associated specifically with the particular one of the plurality of invalid transitions.
2. A method for analyzing a network protocol stream as recited in
3. A method for analyzing a network protocol stream as recited in
4. A method for analyzing a network protocol stream as recited in
5. A method for analyzing a network protocol stream as recited in
6. A method for analyzing a network protocol stream as recited in
7. A method for analyzing a network protocol stream as recited in
8. A method for analyzing a network protocol stream as recited in
9. A method for analyzing a network protocol stream as recited in
10. A method for analyzing a network protocol stream as recited in
11. A method for analyzing a network protocol stream as recited in
12. A method for analyzing a network protocol stream as recited in
13. A method for analyzing a network protocol stream as recited in
keeping track of which state, from the set comprising the at least two valid states and the invalid state, the first host system currently is in; and
changing the state of the first host system to the invalid state in the event that the analysis of the network protocol stream indicates the invalid transition has taken place.
14. A method for analyzing a network protocol stream as recited in
15. A method for analyzing a network protocol stream as recited in
16. A method as recited in
17. A method as recited in
18. A method as recited in
This application claims priority to U.S. Provisional Patent Application No. 60/236,899 entitled SYSTEM AND METHOD FOR ANALYZING PROTOCOL STREAMS FOR A SECURITY-RELATED EVENT filed Sep. 28, 2000, which is incorporated herein by reference for all purposes.
This application is related to co-pending U.S. patent application Ser. No. 09/615,676 entitled SYSTEM AND METHOD FOR TRACKING THE SOURCE OF A COMPUTER ATTACK filed Jul. 14, 2000, which is incorporated herein by reference for all purposes; and co-pending U.S. patent application Ser. No. 09/615,961 entitled SYSTEM AND METHOD FOR PROTECTING A COMPUTER NETWORK AGAINST DENIAL OF SERVICE ATTACKS filed Jul. 14, 2000, which is incorporated herein by reference for all purposes; and co-pending U.S. patent application Ser. No. 09/615,888 entitled SYSTEM AND METHOD FOR DYNAMICALLY CHANGING A COMPUTER PORT OR ADDRESS filed Jul. 14, 2000, which is incorporated herein by reference for all purposes; and co-pending U.S. patent application Ser. No. 09/616,803 entitled SYSTEM AND METHOD FOR QUICKLY AUTHENTICATING MESSAGES USING SEQUENCE NUMBERS filed Jul. 14, 2000, which is incorporated herein by reference for all purposes.
The present invention relates generally to computer network security. More specifically, a system and method for analyzing protocol streams for a security-related event is disclosed.
A host computer is a computer configured to communicate with one or more other computers via a network.
A network protocol may be used to facilitate communication between computers such as client 102 and server 108 shown in
HTTP and SMTP are application layer protocols, used to provide certain functionality to users (e.g., web browsing in the case of HTTP, or electronic mail in the case of SMTP). Application layer protocols such as HTTP and SMTP may be employed in connection with more basic communication protocols, such as TCP, to send and receive messages via a network. TCP provides for the exchange of data in the form of discrete data packets. A communication session is established with the destination host computer. The outgoing message is broken into discrete packets, each assigned a sequence number indicating its place in the message. The packets may arrive out of order and are reassembled at the destination host computer using the sequence numbers.
When a computer system, such as server 108 of
One way to identify a potential attack on a network-connected computer system, such as server 108 of
A second approach makes limited use of knowledge about the network protocol being used by the computers to communicate. For example, the router 106 may be configured to serve as a firewall or proxy programmed to screen incoming data packets to determine if they are valid under the network protocol being used. For example, a validly formatted request to synchronize would be delivered to the server, but a request to synchronize that was not validly formatted (for example, it exceeded a length limitation) or a packet that did not correspond to any valid symbol or command for the protocol would be rejected and not delivered to the server.
This latter approach, however, is limited to the validation of the format of individual messages and does not provide for the analysis of the entire protocol stream to identify a possible attack.
Moreover, neither of the approaches described above provides an efficient way to represent the various states in which the client or server system may be with respect to a network protocol communication session, the interrelationship between those states, or the permissible transitions between states defined by the protocol, for purposes of modeling a normal and valid protocol stream and identifying possible attacks as deviations from that normal and valid behavior. There is therefore a need for a way to efficiently model normal and valid protocol streams and to detect when an actual protocol stream deviates from them in a way that may indicate that an attack is taking place.
A system and method for analyzing protocol streams for a security-related event is disclosed. Regular expressions are used to implement a state machine, which efficiently models both normal and permissible behavior under a network protocol and known or anticipated potential deviations from such behavior. Deviations from normal and permissible behavior under the protocol are identified and processed.
It should be appreciated that the present invention can be implemented in numerous ways, including as a process, an apparatus, a system, a device, a method, or a computer readable medium such as a computer readable storage medium or a computer network wherein program instructions are sent over optical or electronic communication links. Several inventive embodiments of the present invention are described below.
A method for analyzing a network protocol stream for a security-related event is disclosed. In one embodiment, at least two states associated with the network protocol in which a first host system communicating with a second host system using the network protocol may be placed are identified. At least one valid transition between a first state of the at least two states and a second state of the at least two states is defined. The at least one valid transition is expressed in the form of a regular expression. The regular expression is used to analyze the network protocol stream.
A system for analyzing a network protocol stream for a security-related event is disclosed. In one embodiment, the system comprises a computer configured to receive and analyze the network protocol stream by processing a regular expression, the regular expression corresponding to a valid transition from a first state of at least two states to a second state of the at least two states. Memory associated with the computer is configured to store the regular expression.
These and other features and advantages of the present invention will be presented in more detail in the following detailed description and the accompanying figures, which illustrate by way of example the principles of the invention.
The present invention will be readily understood by the following detailed description in conjunction with the accompanying drawings, wherein like reference numerals designate like structural elements, and in which:
A detailed description of a preferred embodiment of the invention is provided below. While the invention is described in conjunction with that preferred embodiment, it should be understood that the invention is not limited to any one embodiment. On the contrary, the scope of the invention is limited only by the appended claims and the invention encompasses numerous alternatives, modifications and equivalents. For the purpose of example, numerous specific details are set forth in the following description in order to provide a thorough understanding of the present invention. The present invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the present invention is not unnecessarily obscured.
Application-layer network protocols such as HTTP, POP, and SMTP define a set of symbols, and rules for using them, which enable host computers to tell each other what they want to do. For example, a protocol may define symbols to be used to communicate requests to synchronize (establish a communication session), to acknowledge the receipt of requests, and to otherwise respond to requests (such as by providing requested information or an indication that a communication session has successfully been established). The rules of the protocol may define, for example, which sequences of symbols are valid (e.g., which symbols it is valid to send in response to a particular symbol received from another), the permissible length of messages (or a certain type of message), and which symbols correspond to commands that may only be sent by a user having a particular level of authorization or privilege.
All network protocols may be described as a set of states. For instance, in HTTP there is a state when the client first establishes communication with the server, a state after a request is sent when the client is waiting for a response from the server, and another state when the communication session is finished and about to be closed. The current state of the client system, for example, depends on which symbols have been exchanged between the client and the server.
Specific types of messages indicate that a state transition has taken place, and some types of state transitions indicate that a security-related event has taken place, such as a possible attack. For instance, an SMTP (Simple Mail Transfer Protocol, an e-mail protocol) client should not try to send a message without first identifying itself.
A system and method are disclosed for analyzing protocol streams to detect state transitions that indicate that a security related event has or may have taken place.
The system has been modified from the arrangement shown in
In one embodiment, the traffic communicated between client 202 and server 208 via network 204 is carried using a packet switched network protocol, such as the TCP/IP suite of protocols. In such an embodiment, messages sent by client 202 to server 208, and vice versa, are organized into one or more discrete packets and each packet is sent separately to the destination. Each packet includes, for example, identifying information indicating the source address and the destination address for the packet, such as the IP address of the sender and the IP address of the intended recipient along with the port number being used by the sender to send the packet and the port number to be used by the recipient to receive the packet. In addition, each packet includes a sequence number indicating its proper placement in the series of packets being sent by the sender to the recipient (in TCP, the sequence number is the offset in the byte stream of the first byte the packet carries). The sequence number is used by the recipient system to place the packets received from the sending system in the correct order, enabling the recipient system to reassemble the message into its proper order.
The tracking system 214 may be configured in one embodiment to receive via copy port connection 218 a copy of all traffic being delivered to or sent by server 208 via network connection 212. The tracking system would associate each incoming packet of the packet stream being sent by client 202 to server 208 with a communication session between client 202 and server 208 being tracked by tracking system 214. In one embodiment, the tracking system would assemble packets sent from client 202 to server 208, and vice versa, into their proper order, thereby enabling the tracking system 214 to analyze the messages being transmitted between client 202 and server 208.
In one embodiment, a copy of the data stream portion 300 is stored in the tracking system for analysis and a pointer 308 is employed to keep track of the starting point for the string of message characters currently being analyzed by the tracking system. In
In one embodiment, a copy of the entire data stream is stored in the tracking system until analysis of the data stream has been completed. In one embodiment, a copy of the data stream is not stored if the tracking system receives the packets of the data stream in order. In one such embodiment, the data packets are analyzed as they are received, and only the following information is stored by the tracking system: an identification of the current state, an identification of the current symbol or string being matched, and sufficient bytes of past data to enable further analysis of the portion of the data stream being analyzed in the event of a failed match. For example, in one embodiment if the portion of the data stream beginning with the character “Z” in data packet 302 of
As described more fully below, in one embodiment the tracking system is configured to systematically analyze strings of characters included in messages exchanged between client 202 and server 208 to identify specific characters, strings of characters, operations, requests, commands, and the like that may indicate that a security event, such as an attempt to gain unauthorized access to data stored in server 208 or to cause server 208 to perform some unauthorized operation or service, may be taking place. The analysis by the tracking system of packet streams such as packet stream 300 of
As described above, a network protocol may be understood and represented as a plurality of states in which a host system communicating under the network protocol may be placed by sending and receiving messages having the format and content prescribed by the network protocol specification. Using the network protocol specification, it is possible to construct a state machine which keeps track of the current state of a host system participating in a communication session using a network protocol by tracking the messages exchanged via the network by the host system and the system or systems with which it is communicating. Such a state machine must be configured to recognize commands that are valid under the network protocol specification and which result in a transition from one state to another. For example, a client system in an initial unsynchronized state may seek to establish communication using the network protocol with a server system. The initial state for the client system would be the “unsynchronized” state. The client system may seek to establish communication with the server system by sending a synchronization request message to the server system. Under certain network protocols the client system and the server system would then exchange a series of acknowledgement and reply messages, until both sides had sent messages establishing the communication session between them and all messages sent by each side for the purpose of establishing the communication session had been acknowledged by the other side. Once the final acknowledgement message had been sent and received, the client system would transition from the unsynchronized state to a synchronized state. 
Invalid messages sent by a client system to a server system, for example, would not be recognized under the network protocol and may result in the client system transitioning to an error state in which, for example, an error message would be displayed to the user of the client system indicating that an impermissible or unrecognized operation had occurred preventing establishment of the communication session with the server system.
The above simplified example shows how an operation such as the establishment of a new communication session may be modeled as a set of states, in this case the unsynchronized state, the synchronized state, and the error state, and a set of rules defining transitions between those states. In one embodiment, a tracking system such as tracking system 214 of
By using such a state machine to model normal and permitted behavior and conditions under a network protocol, a tracking system such as tracking system 214 of
While the simple example shown in
If the process advances to step 508 at any point in any one of the steps described above, the process then advances to step 516 in which it is determined whether the initial character at which the pointer is pointing is an H. If it is determined in step 516 that the initial character is not an H, the process advances to step 517 in which the one character at which the pointer is pointing is accepted as valid and the pointer is advanced to the next character in order. If the one character is accepted in step 517 and the pointer advanced to the next character in order, the process returns to the start step 502 and continues, with analysis beginning at the new character at which the pointer is now pointing. If in step 516 it is determined that the first character is an H, the process proceeds to step 518 in which it is determined whether the first character following the character at which the pointer is pointing is an E. If the first character following the character at which the pointer is pointing is not an E, the process proceeds to step 517 and one character is accepted and the pointer advanced. If it is determined in step 518 that the first character following the character at which the pointer is pointing is an E, the process advances to step 520 in which it is determined whether the second character following the character to which the pointer is pointing is an L. If it is determined in step 520 that the second character following the character at which the pointer is pointing is not an L, the process advances to step 517 and one character is accepted and the pointer advanced to the next character in order. If it is determined in step 520 that the second character following the character at which the pointer is pointing is an L, the process advances to step 522 in which it is determined whether the third character following the character at which the pointer is pointing also is an L. 
If it is determined in step 522 that the third character following the character at which the pointer is pointing is not an L, the process advances to step 517 in which one character is accepted and the pointer advanced to the next character in order. If it is determined in step 522 that the third character following the character at which the pointer is pointing is an L, the process advances to step 524 in which it is determined whether the fourth character following the character at which the pointer is pointing is the letter O. If it is determined in step 524 that the fourth character following the character at which the pointer is pointing is not the letter O, the process proceeds to step 517 in which the character at which the pointer is pointing is accepted and the pointer is advanced to the next character in order. If it is determined in step 524 that the fourth character following the character at which the pointer is pointing is an O, the process proceeds to step 526 in which the error action for "HELLO" is performed. The process then ends in step 514.
Relating the process shown in
In one embodiment, as described above, the tracking system retains a copy of only that portion of the network protocol stream currently under analysis. In such an embodiment, a data packet is discarded once the portion of the protocol stream of which it is a part has been analyzed, such as by determining that the portion of the protocol was part of a recognized and permitted transition from one state to another, or part of an otherwise permitted string corresponding to the current state of the host system.
To illustrate further how the state machine shown in
One can see from
As shown in
The state diagram shown in
The second transition shown in the state diagram of
The third transition illustrated in
Once the client system has transitioned to the “finger request done” state 604, the tracking system continues to monitor data received from the client system to confirm that no excess data is sent by the client system after the finger request has been completed successfully. If such excess data is received from the client system after the completion of the finger request, the client system is transitioned from the “finger request done” state 604 to the “do error and discard” state 606 via the “excess data” transition 616. The sending of excess data after the completion of an otherwise valid finger request may indicate that a security event is taking place.
In the state diagram of
As one can see from the state diagram shown in
To avoid the necessity to write computer code to implement a series of comparison steps, such as those shown in
Free Online Dictionary of Computing (Denis Howe 1993) (presently found at http://foldoc.doc.ic.ac.uk/foldoc/index.html).
Using regular expressions, a computer may be programmed to identify the presence of the character or character string being sought and to take appropriate action in response to the character or character string being found in the data stream. The use of regular expressions was pioneered by mathematician Stephen Cole Kleene in the mid-1950s as a notation to easily manipulate "regular sets", formal descriptions of the behavior of finite state machines, in regular algebra. Kleene's work is summarized in S. C. Kleene, "Representation of Events in Nerve Nets and Finite Automata" (1956, Automata Studies, Princeton), which is incorporated herein by reference for all purposes. Additional background information regarding regular expressions may be found in J. H. Conway, "Regular Algebra and Finite Machines" (1971, Chapman & Hall, Eds.), which is incorporated herein by reference for all purposes. Additional background information concerning the use of regular expressions can be found in the book entitled "Mastering Regular Expressions," by Jeffrey E. F. Friedl (O'Reilly 1997), which is incorporated herein by reference for all purposes.
The set of regular expressions used in one embodiment to implement the state machine shown in
     1  tcp_server discard_state;
     2  tcp_client finger_client_unsynched;
     3
     4  state finger_client_unsynched {
     5      %ignore wide form
     6      "/W";
     7      enter(finger_client_unsynched);
     8
     9      "/W\r\n";
    10      enter(finger_client_done);
    11
    12      %detect backdoors
    13      "ypi0ca";
    14      doerror(FINGER_CDK_BACKDOOR);
    15      enter(discard_state);
    16
    17      "search";
    18      doerror(FINGER_SEARCH_REQUEST);
    19      enter(discard_state);
    20
    21      "r[o0][o0]t";
    22      doerror(FINGER_ROOT_REQUEST);
    23      enter(discard_state);
    24
    25      %disallow a purely numeric request
    26      "[0-9.]*\r\n";
    27      doerror(FINGER_ONLYNUMERIC_REQUEST);
    28      enter(discard_state);
    29
    30      %disallow some metacharacters
    31      %if the request does not contain @, &, ;, ', $, /, <, or >
    32      %followed by a carriage return and line feed, it's okay
    33      "[^@&;'$/<>*\r]*\r\n";
    34      enter(finger_client_done);
    35
    36      %else, it's something bad.
    37      % if it contains the @ sign it's a forwarding request
    38      "[^@&;'$/<>*\r]*@";
    39      doerror(FINGER_FORWARDING_ATTEMPT);
    40      enter(discard_state);
    41
    42      %else it violates the rule above for some reason we don't specifically
    43      %enumerate here.
    44      ".";
    45      doerror(FINGER_BAD_REQUEST);
    46      enter(discard_state);
    47  }
    48
    49  state finger_client_done {
    50      % alert if client sends anything after it has sent a complete request
    51      ".";
    52      doerror(FINGER_EXCESS_DATA);
    53      enter(discard_state);
    54  }
    55
    56  end;
Line 1 of the above listing places the server side of the connection in the discard state, which instructs the tracking system to ignore any messages sent by the server and focus only on the messages sent by the client to the server. Line 2 identifies the following regular expressions, through the end, as defining the state machine for the finger request operation, from the perspective of the client system. (Blank lines, such as line 3, and comment lines, which are those lines that begin with the percent character "%" and which do not operate as computer instructions, are not described in detail in this discussion of the above listing but are included above for clarity and readability.) Lines 4-47 represent the finger request unsynchronized state, from the client side, and the various possible transitions from that state. Lines 49-54 represent the finger request done state, from the client side, and the possible transition from that state.
More specifically, lines 6 and 7 implement a transition from the finger request unsynchronized state back to the same state if the wide form request specifier characters “/W” are matched. This transition corresponds in one embodiment to the ignore wide form request transition 608 of
Lines 9 and 10 implement a transition from the finger request unsynchronized state to the finger request done state if a permitted wide form request, comprising the wide form specifier “/W” followed by a carriage return and line feed (represented by the characters “\r\n”), is entered. This transition corresponds in one embodiment to the permitted wide form request transition 610 shown in
Lines 13-23 implement three possible transitions from the finger request unsynchronized state to the finger client error and discard state. In one embodiment, the three transitions implemented by lines 13-23 detect so-called “backdoors”, which may be used in some instances to gain unauthorized access to or control over a server system. Lines 13-15 detect the CDK backdoor by matching the string “ypi0ca” in a finger request. If the CDK backdoor is detected, an error operation, such as sending an alert, is performed and the client is transitioned to the error and discard state. Lines 17-19 similarly perform a (different) error operation and transition the client to the discard state if the string “search” is matched. Lines 21-23 respond similarly if the regular expression “r[o0][o0]t” is matched, which would occur, for example, if the string “root”, “r00t”, “ro0t” or “r0ot” appeared in the finger request. Each of the transitions defined by lines 13-23 corresponds in one embodiment to one of a plurality of possible transitions corresponding to disallowed or not recognized transition 614 of
Lines 26-28 operate to disallow purely numeric finger requests, which may indicate a security event. If a purely numeric request is detected, a corresponding error operation is performed and the client is transitioned to the error and discard state. In one embodiment, the transition defined by lines 26-28 is one of a plurality of possible transitions corresponding to disallowed or not recognized transition 614 of
Lines 33-34 allow finger requests that have not violated any of the above-described rules and which do not contain any of the metacharacters indicated in the regular expression on line 33, such as “^”, “@”, “&”, etc. If such an allowed finger request is detected, the client is transitioned to the finger client done state. The transition defined by lines 33-34 corresponds in one embodiment to the “not disallowed” transition 612 of
Lines 38-40 and lines 44-46 define what happens if the rule defined by lines 33-34 is not satisfied, for example because the request contains one or more of the disallowed metacharacters. Lines 38-40 first check whether the disallowed character “@” is present. If so, the request is flagged as a forwarding attempt (a request that asks the finger server to relay the query to another host), a corresponding error operation is performed, and the client is transitioned to the error and discard state. If the request does not satisfy the rule defined by lines 33-34 and is not matched by the regular expression on line 38, i.e., it contains one or more disallowed metacharacters but not the “@” character, lines 44-46 perform a generic “bad request” error operation and transition the client to the error and discard state. In one embodiment, the transition defined by lines 38-40 and the transition defined by lines 44-46 are each one of a plurality of possible transitions corresponding to “disallowed or not recognized” transition 614 of
The final transition defined by the above set of regular expressions is defined by lines 51-53. This regular expression detects if any data is sent by the client system after the client system has transitioned to the finger client done state. If such excess data is detected, a corresponding error operation is performed and the client is transitioned to the error and discard state.
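The client-side finger state machine described above, as an added example that is not code from the patent or its tracking system: a small interpreter that applies the rules of the current state to each client packet in order, fires the first match, and moves to the rule's target state. The state names, the three event identifiers shown in the listing and the transition structure follow the page; the FingerClientTracker class, the per-packet dispatch loop, the event names marked as assumed, the extra metacharacters and the sample packets are this example's own constructions.

```python
import re

# Added example, not code from the patent or its tracking system: a small
# interpreter for the regular-expression state machine the finger listing
# above describes. State names, the three event names shown in the listing and
# the transition structure follow the page; the class, the per-packet dispatch
# loop, the event names marked "assumed" and the sample packets are assumptions.

UNSYNC = "finger_client_unsynchronized"
DONE = "finger_client_done"
DISCARD = "discard_state"

# Disallowed metacharacters: the page names "^", "@" and "&" and says "etc.";
# the remaining members of this set are assumed.
METACHARS = r"\^@&|;<>"

# Per state, an ordered list of (regex, next state, event or None). The first
# regex that matches fires, so rule order is part of the policy: the "@"
# forwarding check must precede the "." catch-all or it could never fire.
CLIENT_RULES = {
    UNSYNC: [
        # Permitted wide-form request (listing lines 9-10). The listing tries the
        # bare "/W" rule first; with first-match dispatch the longer literal must go first.
        (re.compile(r"^/W\r\n$"), DONE, None),
        # Bare wide-form specifier (lines 6-7): consume it, stay in this state.
        (re.compile(r"^/W"), UNSYNC, None),
        # Backdoor probes (lines 13-23); event names assumed, the page shows none.
        (re.compile(r"ypi0ca"), DISCARD, "FINGER_CDK_BACKDOOR"),
        (re.compile(r"search"), DISCARD, "FINGER_SEARCH_BACKDOOR"),
        (re.compile(r"r[o0][o0]t"), DISCARD, "FINGER_ROOT_REQUEST"),
        # Purely numeric request (lines 26-28); event name assumed.
        (re.compile(r"^[0-9]+\r\n$"), DISCARD, "FINGER_NUMERIC_REQUEST"),
        # A complete request with no metacharacters is allowed (lines 33-34).
        (re.compile(r"^[^" + METACHARS + r"]*\r\n$"), DONE, None),
        # Otherwise "@" is a forwarding attempt (lines 38-40) ...
        (re.compile(r"@"), DISCARD, "FINGER_FORWARDING_ATTEMPT"),
        # ... and anything else is a generic bad request (lines 44-46).
        (re.compile(r".", re.DOTALL), DISCARD, "FINGER_BAD_REQUEST"),
    ],
    DONE: [
        # Any client data after a complete request (lines 51-53).
        (re.compile(r".", re.DOTALL), DISCARD, "FINGER_EXCESS_DATA"),
    ],
    DISCARD: [],  # terminal: nothing further is examined on this connection
}


class FingerClientTracker:
    """Tracks the client side of one finger connection, one packet at a time."""

    def __init__(self):
        self.state = UNSYNC
        self.events = []

    def feed(self, packet):
        r"""Apply the current state's rules to one decoded client packet.

        A match consumes the matched span and dispatch continues on the rest
        of the packet in the new state, so "/W alice\r\n" is handled as "/W"
        (ignored) then " alice\r\n" (allowed). Returns the events raised.
        """
        raised = []
        data = packet
        while data and self.state != DISCARD:
            for regex, next_state, event in CLIENT_RULES[self.state]:
                match = regex.search(data)
                if match is None:
                    continue
                if event is not None:
                    raised.append(event)
                    self.events.append(event)
                self.state = next_state
                data = data[match.end():]
                break
            else:
                break  # no rule matched; cannot happen while "." is the catch-all
        return raised


def classify(packets):
    """Run a sequence of client packets through a fresh tracker."""
    tracker = FingerClientTracker()
    for packet in packets:
        tracker.feed(packet)
    return tracker.state, tracker.events


# Constructed sample client streams, not captured traffic.
SAMPLES = {
    "plain user lookup": ["alice\r\n"],
    "wide form then lookup": ["/W", "alice\r\n"],
    "forwarding attempt": ["alice@relay.example\r\n"],
    "data after request": ["alice\r\n", "more"],
    "request split across packets": ["ali", "ce\r\n"],
}

if __name__ == "__main__":
    for name, packets in SAMPLES.items():
        print(f"{name:30s} -> {classify(packets)}")
```

Two things the rule table makes visible that the prose does not. First, because the claims apply the regular expressions to a received packet, a legitimate request that arrives split across two packets ("ali" then "ce\r\n") trips the "." catch-all and is reported as a bad request; a deployment would need stream reassembly in front of the state machine, which the page does not describe. Second, the unanchored backdoor rules are substring matches, so a request for the user "researcher" raises the "search" alert; tightening such patterns (or anchoring them) is a tuning decision the rule author has to make explicitly.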
The use of regular expressions such as those described above enables one to quickly and efficiently implement a state machine to model normal and permitted network protocol behavior and to detect deviations from such behavior that may indicate that a security event has taken or is taking place. The use of regular expressions makes unnecessary the time-consuming task of writing detailed code to perform the series of compare and other operations that would otherwise be necessary to implement such a state machine.
As described above, a compiler must be provided to transform the regular expressions used to define the state machine, such as the regular expressions set forth above defining the finger request state machine, into the computer code necessary to perform the compare and other operations needed to implement that state machine. In one embodiment, the regular expressions are compiled by a custom compiler into optimum or nearly optimum C code, which is then further compiled by a C compiler provided with the tracking system to obtain the machine code that the tracking system computer executes to perform the computations and operations necessary to implement the state machine. Well-known techniques in the art of compiler design are used to provide a compiler capable of implementing a state machine based on a set of regular expressions. Specific exemplary techniques are described in “Lex & Yacc”, by John Levine, Tony Mason, and Doug Brown (O'Reilly 1992), which is incorporated herein by reference for all purposes.
In one embodiment, the process of implementing a set of regular expressions which describe a state machine is made even more efficient by taking advantage of similarities in the operations and computations that must be performed to implement two or more of the regular expressions used to define the state machine. For example, in the state machine shown in
As one can see by comparing the process shown in
In one embodiment, a tool is provided that is configured to change the order of at least certain of the regular expressions used to define a state machine by seeking to place regular expressions having similarities, such as the similarity in the HEY transition and the HELLO transition of the state machine of
In one embodiment, the tool provided to change the order of at least certain of the regular expressions used to implement a state machine is configured to change only the order of regular expressions defining like transition rules. For example, in the example described above, each of the transitions HEY, HELLO, and RED represented a similar transition between the local state 402 and the error state 404. If instead one of those transitions had defined a transition between the local state 402 and a third state not shown in
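The reordering described in the two preceding paragraphs, as an added example that is not the patent's tool: rules are grouped by (source state, target state, action), rules in a group that share a literal prefix are placed side by side, and the group is fused into one alternation with the shared prefix factored out, so that the common leading characters of HEY and HELLO are compared once. The Rule tuple, the state and action names, and the two sample rule tables are assumptions modelled on the HEY/HELLO/RED discussion above.

```python
import os
import re
from collections import namedtuple

# Added example, not the patent's reordering tool. The Rule tuple, the state
# names and the sample rule lists are assumptions based on the HEY/HELLO/RED
# discussion in the text.

Rule = namedtuple("Rule", "pattern source target action")

_SPECIALS = set(".*+?()[]{}|\\^$")


def literal_prefix(pattern):
    """Leading run of plain literal characters of a regex (empty if it starts
    with a metacharacter); only this part takes part in prefix sharing."""
    out = []
    for ch in pattern:
        if ch in _SPECIALS:
            break
        out.append(ch)
    return "".join(out)


def factor(patterns):
    """One regex that matches (for match/no-match) exactly when any of the
    patterns matches, with common literal prefixes factored out:
    HEY, HELLO, RED become HE(?:LLO|Y)|RED, so "HE" is compared once."""
    pats = sorted(set(patterns))  # sorting puts shared prefixes side by side
    if len(pats) == 1:
        return pats[0]
    prefix = os.path.commonprefix([literal_prefix(p) for p in pats])
    if prefix:
        return prefix + "(?:" + factor([p[len(prefix):] for p in pats]) + ")"
    groups = {}
    for p in pats:
        groups.setdefault(literal_prefix(p)[:1], []).append(p)
    if len(groups) == 1:  # nothing shared anywhere: plain alternation
        return "|".join(pats)
    return "|".join(factor(g) for _, g in sorted(groups.items()))


def searches(pattern, text):
    """True if the (possibly fused) pattern matches somewhere in text."""
    return re.search(pattern, text) is not None


def _like(a, b):
    return (a.source, a.target, a.action) == (b.source, b.target, b.action)


def fuse_like_runs(rules):
    """Fuse each maximal run of consecutive like rules into a single rule.

    Rules are reordered and merged only within such a run. A rule is never
    moved past a rule with a different target or action: with first-match
    dispatch that could change which transition fires for an input both
    patterns match, i.e. which alert is raised or whether one is raised at all.
    """
    fused = []
    i = 0
    while i < len(rules):
        j = i
        while j + 1 < len(rules) and _like(rules[j + 1], rules[i]):
            j += 1
        run = rules[i:j + 1]
        if len(run) == 1:
            fused.append(run[0])
        else:
            head = run[0]
            fused.append(Rule(factor([r.pattern for r in run]),
                              head.source, head.target, head.action))
        i = j + 1
    return fused


# Constructed rule tables (assumed names), one per demonstration.
LIKE_RULES = [
    Rule("HEY", "local", "error", "alert"),
    Rule("RED", "local", "error", "alert"),
    Rule("HELLO", "local", "error", "alert"),
    Rule("HEAD", "local", "third", "accept"),  # unlike: different target state
]
INTERLEAVED_RULES = [
    Rule("HEY", "local", "error", "alert"),
    Rule("HE.*", "local", "done", None),  # matches HELLO if it is reached first
    Rule("HELLO", "local", "error", "alert"),
]

if __name__ == "__main__":
    for rule in fuse_like_runs(LIKE_RULES) + fuse_like_runs(INTERLEAVED_RULES):
        print(rule)
```

On LIKE_RULES the three error transitions collapse to one rule with pattern HE(?:LLO|Y)|RED while the HEAD rule, which leads to a different state, is left alone. On INTERLEAVED_RULES nothing is fused: moving HELLO ahead of HE.* would turn an input of "HELLO" from an accepted request into an alert, which is why the tool restricts itself to like transition rules. The fused pattern is equivalent to the originals only for match/no-match; if a rule's action depended on how much input the match consumed, the alternation order inside the fused pattern would matter too.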
Although the foregoing invention has been described in some detail for purposes of clarity of understanding, it will be apparent that certain changes and modifications may be practiced within the scope of the appended claims. It should be noted that there are many alternative ways of implementing both the process and apparatus of the present invention. Accordingly, the present embodiments are to be considered as illustrative and not restrictive, and the invention is not to be limited to the details given herein, but may be modified within the scope and equivalents of the appended claims.
Lyle, Michael P., Vekhter, Dan, Suzuki, Brandon
Executed on | Assignor | Assignee | Conveyance | Reel/Frame
Sep 25 2001 | | Symantec Corporation | Assignment on the face of the patent |
Jan 23 2002 | LYLE, MICHAEL P | RECOURSE TECHNOLOGIES, INC | Assignment of assignors interest (see document for details) | 012624/0479
Jan 23 2002 | VEKHTER, DAN | RECOURSE TECHNOLOGIES, INC | Assignment of assignors interest (see document for details) | 012624/0479
Jan 23 2002 | SUZUKI, BRANDON | RECOURSE TECHNOLOGIES, INC | Assignment of assignors interest (see document for details) | 012624/0479
Aug 19 2002 | RECOURSE ACQUISITION CORP | RECOURSE TECHNOLOGIES, INC | Merger (see document for details) | 013652/0847
Aug 19 2002 | RECOURSE TECHNOLOGIES, INC | RECOURSE TECHNOLOGIES, INC | Merger (see document for details) | 013652/0847
Feb 03 2003 | RECOURSE TECHNOLOGIES, INC | Symantec Corporation | Assignment of assignors interest (see document for details) | 013755/0578
Nov 04 2019 | Symantec Corporation | CA, INC | Assignment of assignors interest (see document for details) | 051144/0918
Date | Maintenance Fee Events |
Jan 28 2013 | M1551: Payment of Maintenance Fee, 4th Year, Large Entity. |
Dec 28 2016 | M1552: Payment of Maintenance Fee, 8th Year, Large Entity. |
Mar 15 2021 | REM: Maintenance Fee Reminder Mailed. |
Aug 30 2021 | EXP: Patent Expired for Failure to Pay Maintenance Fees. |